This section describes how to configure Veeam storage repositories to use CryptoHub for encryption. Storage-level encryption protects all data written to the repository, regardless of individual job encryption settings.

Supported storage types

You can enable CryptoHub encryption for the following storage types:
Storage type | Encryption scope
Capacity tier (scale-out backup repository) | All backup data offloaded to object storage
Archive tier (scale-out backup repository) | All backup data moved to archive storage
Tape media pools | All backup data written to tape
GFS tape media pools | All backup data written to tape using GFS retention
Backup repositories for Veeam Plug-in for Nutanix AHV | All backups stored by the plug-in
Backup repositories for Veeam Backup for OLVM and RHV | All backups stored by the solution
Backup repositories for Veeam Kasten | All backups stored by Kasten
Backup repositories for standalone Veeam Plug-ins for Enterprise Applications | All backups stored by standalone plug-ins

Standard backup repositories (Windows, Linux, SMB, NFS) do not support storage-level KMS encryption. Use job-level encryption for backups stored in these repositories.

Enabling encryption for capacity tier

Capacity tier extends a scale-out backup repository to cloud or S3-compatible object storage. Enabling encryption protects backup data offloaded from the performance tier.

Prerequisites

Before enabling capacity tier encryption, verify:
  • A scale-out backup repository exists with a capacity tier configured.
  • CryptoHub is registered as a KMS server in Veeam.

Procedure

1. In the Veeam Backup & Replication console, navigate to Backup Infrastructure > Scale-out Repositories.
2. Right-click the scale-out backup repository and select Edit.
3. In the wizard, select Capacity Tier in the left navigation pane.
4. Select the Encrypt data uploaded to object storage checkbox.
5. In the Password dropdown, select your CryptoHub KMS server.
6. Select Apply, then select Finish.

All backup data offloaded to the capacity tier is encrypted using CryptoHub. Data already present in the capacity tier before enabling encryption remains unencrypted.

Encrypting existing capacity tier data

To encrypt data already present in the capacity tier, you must evacuate the data back to the performance tier, enable encryption, and then allow Veeam to offload the data again.
This operation requires sufficient free space in the performance tier to temporarily hold the evacuated data. Plan accordingly before starting.

1. In the scale-out backup repository settings, temporarily disable the capacity tier by clearing Extend scale-out backup repository capacity with object storage.
2. Select Apply, then select Finish.
3. Wait for Veeam to evacuate data from the capacity tier to the performance tier. Monitor progress in Home > Last 24 Hours.
4. Edit the scale-out backup repository again and re-enable the capacity tier with encryption enabled.
5. Select Apply, then select Finish.

Veeam offloads data to the capacity tier using the new encryption settings.

Enabling encryption for archive tier

Archive tier moves older backups to low-cost archive storage (such as AWS S3 Glacier or Azure Archive). Encryption configuration follows the same process as capacity tier.

1. In the Veeam Backup & Replication console, navigate to Backup Infrastructure > Scale-out Repositories.
2. Right-click the scale-out backup repository and select Edit.
3. In the wizard, select Archive Tier in the left navigation pane.
4. Select the Encrypt data uploaded to archive storage checkbox.
5. In the Password dropdown, select your CryptoHub KMS server.
6. Select Apply, then select Finish.

All backup data moved to the archive tier is encrypted using CryptoHub.

Enabling encryption for tape media pools

Tape encryption protects backup data written to tape media. You configure encryption at the media pool level.

Creating an encrypted media pool

1. In the Veeam Backup & Replication console, navigate to Tape Infrastructure > Media Pools.
2. Right-click Media Pools and select Add Media Pool.
3. In the New Media Pool wizard, enter a name and description, then select Next.
4. Add tapes to the pool and configure media set options, then select Next.
5. On the Options step, select the Enable hardware encryption checkbox.
6. In the Password dropdown, select your CryptoHub KMS server.
7. Complete the remaining wizard steps and select Finish.

All data written to tapes in this media pool is encrypted using CryptoHub.

Enabling encryption for an existing media pool

1. In the Veeam Backup & Replication console, navigate to Tape Infrastructure > Media Pools.
2. Right-click the media pool and select Properties.
3. In the wizard, select Options in the left navigation pane.
4. Select the Enable hardware encryption checkbox.
5. In the Password dropdown, select your CryptoHub KMS server.
6. Select Finish.

Data written to tapes in this media pool after the change is encrypted. Existing tape content remains encrypted with the previous key (if any) or unencrypted.

Enabling encryption for GFS media pools

GFS (Grandfather-Father-Son) media pools use a separate configuration for long-term tape retention. The encryption procedure is similar to standard media pools.

1. In the Veeam Backup & Replication console, navigate to Tape Infrastructure > Media Pools.
2. Right-click Media Pools and select Add GFS Media Pool.
3. Complete the wizard steps for name, media sets, and retention.
4. On the Options step, select the Enable hardware encryption checkbox.
5. In the Password dropdown, select your CryptoHub KMS server.
6. Complete the remaining wizard steps and select Finish.

All data written to tapes in this GFS media pool is encrypted using CryptoHub.

Enabling encryption for standalone plug-in backup repositories

Backup repositories that store data from standalone Veeam plug-ins and additional solutions support storage-level encryption. This includes repositories used by:
  • Veeam Plug-in for Nutanix AHV
  • Veeam Backup for OLVM and RHV
  • Veeam Kasten for Kubernetes
  • Standalone Veeam Plug-ins for Enterprise Applications (Oracle RMAN, SAP HANA, SAP on Oracle)

Procedure

1. In the Veeam Backup & Replication console, navigate to Backup Infrastructure > Backup Repositories.
2. Right-click the backup repository and select Properties.
3. In the wizard, select Repository in the left navigation pane.
4. Select Advanced.
5. In the Advanced Settings dialog, select the Enable backup file encryption checkbox.
6. In the Password dropdown, select your CryptoHub KMS server.
7. Select OK, then select Finish.

All backup data written to this repository by supported plug-ins and solutions is encrypted using CryptoHub.
This encryption setting applies only to backups created by the solutions listed above. Standard VM backups stored in this repository are not affected by this setting; use job-level encryption for those backups.